CVE-2026-42033
Published: 24 April 2026
Summary
CVE-2026-42033 is a high-severity Prototype Pollution (CWE-1321) vulnerability in the Axios HTTP client (vendor: Axios). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002). The CVE is ranked at the 27.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely remediation of the prototype pollution flaw in Axios by upgrading to the fixed versions 1.15.1 or 0.31.1, as recommended in the GHSA advisory.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify CVE-2026-42033 and related prototype pollution risks in dependencies so they can be patched proactively.
- Ensures receipt and implementation of security advisories such as GHSA-pf86-5x62-jrwf to address the Axios vulnerability and to audit co-dependencies for the pollution source.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables modification and interception of JSON responses (transmitted data) and hijacking of the HTTP client transport layer once prototype pollution is achieved.
NVD Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.
Deeper analysis
CVE-2026-42033 is a prototype pollution vulnerability in Axios, a promise-based HTTP client used in browsers and Node.js environments. In versions prior to 1.15.1 and 0.31.1, Axios reads certain keys from objects without a hasOwnProperty guard, so a key that a co-dependency has written onto Object.prototype is picked up through the prototype chain as if it were legitimate configuration, compromising Axios's internal state. This leads to two primary impacts: silent interception and modification of JSON responses before they reach the application, or full hijacking of the underlying HTTP transport layer.
Exploitation requires an attacker to first achieve prototype pollution of Object.prototype from a separate source within the same process, such as a vulnerable co-dependency. Given that precondition, a remote attacker with no privileges can exploit the flaw over the network, although the attack complexity is rated high. Successful exploitation has high confidentiality and integrity impacts: the attacker can alter all JSON responses or access sensitive request details, including credentials, headers, and body content.
The official GitHub security advisory (GHSA-pf86-5x62-jrwf) confirms the issue and states that it is fully remediated in Axios versions 1.15.1 and 0.31.1, recommending immediate upgrades to these or later versions as the primary mitigation. Affected users should audit dependencies for prototype pollution risks and review co-libraries for similar issues.
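To make the mechanism and the fix described above concrete, the following is an added JavaScript example; it is not Axios code and does not reproduce Axios internals. It uses a hypothetical settings reader and a hypothetical setting name (`responseTransform`) to show how an unguarded property read picks up a key that another module has written onto Object.prototype, how an own-property guard ignores it, and how a startup baseline of Object.prototype's own property names can detect that the process has been polluted. The pollution is performed directly in the example (and undone afterwards) to stand in for the separate vulnerable co-dependency the advisory assumes.

```javascript
// Added example (not axios code). Names below are hypothetical.

// Detection: snapshot Object.prototype's own property names at startup, so a
// later check can report any key a co-dependency has added to it.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter(
    (k) => !PROTOTYPE_BASELINE.has(k)
  );
}

// Unguarded read: config[key] walks the prototype chain, so an inherited
// (polluted) value is returned as though the caller had supplied it.
function readSettingUnguarded(config, key, fallback) {
  return config[key] !== undefined ? config[key] : fallback;
}

// Guarded read: only the object's own properties count; inherited values,
// including polluted ones, fall through to the fallback.
function readSettingGuarded(config, key, fallback) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : fallback;
}

// Stand-in for a separate vulnerable co-dependency in the same process: writes
// one key onto Object.prototype for the duration of fn(), then removes it.
function withPollutedPrototype(key, value, fn) {
  Object.prototype[key] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Runs both readers against an empty, constructed user config before and
// during pollution, and reports what the detection check sees each time.
function demonstrate() {
  const key = 'responseTransform'; // hypothetical setting name
  const config = {}; // constructed: the application set nothing

  const observe = () => ({
    unguarded: readSettingUnguarded(config, key, 'default'),
    guarded: readSettingGuarded(config, key, 'default'),
    polluted: unexpectedPrototypeKeys(),
  });

  const before = observe();
  const during = withPollutedPrototype(key, 'injected-by-co-dependency', observe);
  return { before, during };
}

// Stand-alone run: the unguarded reader flips to the injected value while the
// guarded reader keeps returning 'default'.
console.log(JSON.stringify(demonstrate(), null, 2));
```

The guard is the same fix category the advisory describes: treat only own properties of caller-supplied objects as configuration. Two complementary hardenings worth weighing in a Node.js service are building internal lookup tables with `Object.create(null)` (no prototype to pollute) and calling `Object.freeze(Object.prototype)` early in startup, which stops pollution of Object.prototype outright but can break libraries that legitimately extend it; the baseline check above only detects pollution of Object.prototype, not of other prototypes.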
Details
- CWE(s)